Directly spying? No. Indirectly via metadata gained from the cloud function? Yes. I personally just disable it because it's pointless if you know how to avoid running suspicious exe files.
Removing IPv6 from Autoruns breaks Cortana but reduces the time to log in. Edit: it breaks most of the OS; it can't authenticate with Microsoft servers. After creating the first user it is OK to remove, but a reset/sysprep of the OS will break it for good. However, there is a way to recover it with an exported backup reg file. Edit 2: it reduces the traffic from the OS, I think, to none. I played with it for 2 hours and it looks OK. Cortana suddenly started working without any connection. I added it to the topic.
Probably news for someone: a real keylogger now. Although both Cortana and Bing are turned off, even via GP, SearchUI.exe sends any keys you type in the taskbar search to Microsoft. I don't know how to disable it except with a Windows Firewall outgoing block rule.
SearchUI.exe can be easily disabled with a program called Process Lasso. Just find SearchUI.exe in its task list, then right-click and choose Terminate Always.
I noticed a pre-existing setting for "Search" in the outgoing firewall settings. Perhaps disabling this will stop the data from being sent?
Topic updated. I'm trying new settings which don't break anything, and the traffic is still quiet enough. I'm also recommending blocking Cortana; available in the topic. Edit: I don't get it, why does IE need those left if there are always 0 packets sent/received?
I don't have the standard outbound Search rule even though the FW settings are restored to their defaults. Probably because both Cortana and Bing were well disabled via registry and Group Policy before, so I made it myself just for SearchUI.exe. In another topic here I noticed this way of adding a FW rule via the registry (I didn't test it, just for info):
Code:
Windows Registry Editor Version 5.00

; Outbound block rule for SearchUI.exe (backslashes in .reg string values must be doubled)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2765E0F4-2918-4A46-B9C9-43CDD8FCBA2B}"="v2.24|Action=Block|Active=TRUE|Dir=Out|App=C:\\windows\\systemapps\\microsoft.windows.cortana_cw5n1h2txyewy\\searchui.exe|Name=Search and Cortana application|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|"
Add this rule to the Windows built-in firewall and your OS becomes as dull as a cannon.
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{49CA6DEB-DCE7-4186-987F-D0284964FA47}"="v2.24|Action=Block|Active=TRUE|Dir=Out|App=C:\\Windows\\system32\\wwahost.exe|Name=Windows Applications (auto)|"
"{6335365E-38DF-4F8C-BD0D-DCD11F79DF2D}"="v2.24|Action=Block|Active=TRUE|Dir=Out|RA4=131.253.61.98|App=C:\\windows\\system32\\svchost.exe|Svc=dmwappushservice|Name=Windows Dmwappushservice|"
"{60E6D465-398E-4850-BE86-7EF7620A2377}"="v2.24|Action=Block|Active=TRUE|Dir=Out|App=C:\\windows\\system32\\svchost.exe|Svc=DiagTrack|Name=Windows Telemetry|"
"{2765E0F4-2918-4A46-B9C9-43CDD8FCBA2B}"="v2.24|Action=Block|Active=TRUE|Dir=Out|App=C:\\windows\\systemapps\\microsoft.windows.cortana_cw5n1h2txyewy\\searchui.exe|Name=Search and Cortana application|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|"
"{2F1EB671-4A03-4BA3-8D97-8FD9F8858759}"="v2.24|Action=Block|Active=TRUE|Dir=Out|Protocol=6|RPort=80|RPort=443|App=C:\\windows\\system32\\wermgr.exe|Name=Windows Problem Reporting|"
"{882329F0-8BA4-4594-B114-BAC2DB35127B}"="v2.24|Action=Block|Active=TRUE|Dir=Out|Protocol=6|RPort=443|App=C:\\program files\\windows defender\\mpcmdrun.exe|Name=Microsoft Malware Protection Command Line Utility|"
"{454A996E-A17C-4D58-9C89-1E1A919B6C7C}"="v2.24|Action=Block|Active=TRUE|Dir=Out|Protocol=6|RPort=80|RPort=443|App=C:\\windows\\system32\\rundll32.exe|Name=Windows host process (Rundll32)|"
"{A38B0F49-40F2-4AAF-8944-07A7BF116A70}"="v2.24|Action=Block|Active=TRUE|Dir=Out|Protocol=6|RPort=80|RPort=443|App=C:\\windows\\system32\\sihclient.exe|Name=SIH Client|"
"{2B930A7C-4B6B-49ED-92EE-7966287150AD}"="v2.24|Action=Block|Active=TRUE|Dir=Out|Protocol=6|RPort=80|RPort=443|App=C:\\windows\\system32\\searchindexer.exe|Name=Microsoft Windows Search Indexer|"
"{14EA9999-E20B-4894-AF9C-A2DECF661549}"="v2.24|Action=Block|Active=TRUE|Dir=Out|Protocol=6|App=%ProgramFiles%\\Windows Defender\\MsMpEng.exe|Svc=WinDefend|Name=Block All Out traffic from WinDefend|"
"{DD68A878-61B0-421E-A029-AEDB0CFBCD78}"="v2.24|Action=Block|Active=TRUE|Dir=Out|Protocol=6|RPort=80|RPort=443|App=C:\\program files\\windows defender\\msascui.exe|Name=Windows Defender User Interface|"
"{4B5FB038-7A91-46CB-9FD2-A8C9A5375E3B}"="v2.24|Action=Block|Active=TRUE|Dir=Out|Protocol=6|RPort=80|RPort=443|App=C:\\windows\\systemapps\\microsoft.windows.cortana_cw5n1h2txyewy\\searchui.exe|Name=Search application|"
"{46319005-5AA7-4404-93BD-9F5BA8742D5A}"="v2.24|Action=Block|Active=TRUE|Dir=Out|App=%SystemRoot%\\explorer.exe|Name=Block All Out traffic from Explorer|"
"{C6F71C19-BD3A-41D6-93D3-3CE207457037}"="v2.24|Action=Block|Active=TRUE|Dir=Out|Protocol=6|RPort=80|RPort=443|App=C:\\windows\\system32\\svchost.exe|Svc=IKEEXT|Name=Process for Windows Services [IKEEXT]|"
"{EEAAEC5C-4623-49B8-BE54-09B4489CCC0A}"="v2.24|Action=Block|Active=TRUE|Dir=Out|App=%SystemRoot%\\System32\\MRT.exe|Name=Block Out from MRT|"
"{95C92362-4331-45BD-84B8-6652DCF58631}"="v2.24|Action=Block|Active=TRUE|Dir=Out|RA4=8.18.0.0/255.255.0.0|RA4=23.45.0.0/255.255.0.0|RA4=23.99.0.0/255.255.0.0|RA4=23.102.0.0/255.255.0.0|RA4=23.203.0.0/255.255.0.0|RA4=64.4.0.0/255.255.0.0|RA4=64.20.0.0/255.255.0.0|RA4=65.52.0.0/255.255.0.0|RA4=65.55.0.0/255.255.0.0|RA4=69.172.0.0/255.255.0.0|RA4=74.125.0.0/255.255.0.0|RA4=93.184.0.0/255.255.0.0|RA4=131.253.0.0/255.255.0.0|RA4=134.170.0.0/255.255.0.0|RA4=137.117.0.0/255.255.0.0|RA4=161.69.0.0/255.255.0.0|RA4=168.62.0.0/255.255.0.0|RA4=178.255.0.0/255.255.0.0|RA4=191.236.0.0/255.252.0.0|RA4=199.166.0.0/255.255.0.0|RA4=204.79.0.0/255.255.0.0|Name=Microsoft Blocklist IP|Desc=Rule created by script on 08/15/2015 00:04:38. Do not edit rule by hand.|"
It is not a registry tweak; these are Windows built-in firewall rules to block outbound connections for Windows telemetry apps and services. You can find all pre-existing and newly created Windows Firewall rule settings: open "regedit" and find the reg key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
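Before importing rule sets like the ones posted in this thread, it helps to see what each rule actually covers. The following Python sketch is an added example, not code from any poster: it parses the `v2.24|Key=Value|...` rule strings from a .reg export and reports whether a rule is limited by protocol, port or address or blocks all outbound traffic from the program. It assumes the rules are available as text and only inspects keys that appear in the thread's rules.

```python
import re
from collections import defaultdict

# Three rules copied from the thread above, as they appear in a .reg export.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{60E6D465-398E-4850-BE86-7EF7620A2377}"="v2.24|Action=Block|Active=TRUE|Dir=Out|App=C:\\windows\\system32\\svchost.exe|Svc=DiagTrack|Name=Windows Telemetry|"
"{2F1EB671-4A03-4BA3-8D97-8FD9F8858759}"="v2.24|Action=Block|Active=TRUE|Dir=Out|Protocol=6|RPort=80|RPort=443|App=C:\\windows\\system32\\wermgr.exe|Name=Windows Problem Reporting|"
"{6335365E-38DF-4F8C-BD0D-DCD11F79DF2D}"="v2.24|Action=Block|Active=TRUE|Dir=Out|RA4=131.253.61.98|App=C:\\windows\\system32\\svchost.exe|Svc=dmwappushservice|Name=Windows Dmwappushservice|"
'''

VALUE_RE = re.compile(r'^"(\{[0-9A-Fa-f-]+\})"="(.*)"\s*$')

def parse_rule(data):
    """Split one rule string into (version, fields); repeated keys become lists."""
    version, *parts = data.rstrip("|").split("|")
    fields = defaultdict(list)
    for part in parts:
        key, _, value = part.partition("=")  # values may themselves contain '='
        fields[key].append(value)
    return version, dict(fields)

def load_rules(reg_text):
    """Map rule GUID -> (version, fields) for every rule line in a .reg export."""
    rules = {}
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            # Undo .reg string escaping (\\ -> \, \" -> ") before splitting.
            raw = re.sub(r'\\(.)', lambda x: x.group(1), m.group(2))
            rules[m.group(1)] = parse_rule(raw)
    return rules

def describe(fields):
    """Return (rule name, program [service], scope of the match)."""
    name = fields.get("Name", ["?"])[0]
    app = fields.get("App", ["<any>"])[0].rsplit("\\", 1)[-1]
    if "Svc" in fields:
        app += " [" + fields["Svc"][0] + "]"
    limits = [label + ",".join(fields[key])
              for key, label in (("Protocol", "proto "), ("RPort", "ports "), ("RA4", "IPv4 "))
              if key in fields]
    return name, app, "; ".join(limits) or "ALL outbound traffic"

if __name__ == "__main__":
    for guid, (_, fields) in load_rules(SAMPLE_REG).items():
        print(guid, *describe(fields), sep=" | ")
```

A rule reported as "ALL outbound traffic" has no protocol, port or address condition, so it matches every outbound connection from that program or service.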